ClawHub

Star Office Deploy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent dashboard deployment skill, but it pairs public internet exposure guidance with a trivially weak default password.

Install only if you are comfortable running the referenced local dashboard. Change ASSET_DRAWER_PASS from 1234 before any public tunnel or long-running deployment, review what notes and endpoints may be visible, and provide a Gemini API key only if you need the optional image-generation feature.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly recommends exposing a locally hosted service through Cloudflare Tunnel and focuses on convenience, but it does not instruct the operator to verify authentication, harden defaults, or consider what data becomes reachable over the internet. In this skill's context, the risk is amplified because the same document also describes weak default protection and shared-agent access, so internet exposure could make unauthorized viewing or modification much easier.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill documents a default sidebar password of `1234` and tells users they can use it initially for convenience, which normalizes deployment with trivially guessable credentials. This becomes significantly more dangerous in context because the same skill later suggests public exposure via Cloudflare Tunnel, creating a plausible path for unauthorized modification of assets or layout by anyone who can reach the service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal